You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jul 30, 2024. It is now read-only.
The login view is a NextFormMixin subclass, so it accepts a next parameter. As I understand it, the parameter can be a URL, a path or an endpoint. If you use a simple endpoint like "index", it works as expected and redirects to the provided endpoint on login.
However, endpoints in a blueprint have a period, like "User.profile". If you pass this kind of endpoint to 'next', the login view will treat it like a path and send you to e.g. http://localhost:4000/User.profile. This happens because validate_redirect_url() returns True for the blueprint endpoint. This, in turn, means that get_post_action_redirect() will use the very first URL in its list, which is just the raw endpoint name. It doesn't get to the 3rd element of the list, which is the result of get_url(request.form.get('next')) and is the correct path.
I am not sure what the right solution to this problem is. Perhaps the declared value should be compared with a list of the application's registered endpoints either in validate_redirect_url() or just before it's called. Or perhaps declared should be added later in the list so that the resolved endpoint will be evaluated first. URLs should return None when passed to get_url(), so while this will change precedence, it shouldn't change the outcome. Paths which contain a slash should work the same. Is there a similar API which we can model the behavior on?
As a workaround, I'm using the request's path in my decorator instead of passing the endpoint.
The login view is a
NextFormMixin
subclass, so it accepts a next parameter. As I understand it, the parameter can be a URL, a path or an endpoint. If you use a simple endpoint like "index", it works as expected and redirects to the provided endpoint on login.However, endpoints in a blueprint have a period, like "User.profile". If you pass this kind of endpoint to 'next', the login view will treat it like a path and send you to e.g.
http://localhost:4000/User.profile
. This happens becausevalidate_redirect_url()
returnsTrue
for the blueprint endpoint. This, in turn, means thatget_post_action_redirect()
will use the very first URL in its list, which is just the raw endpoint name. It doesn't get to the 3rd element of the list, which is the result ofget_url(request.form.get('next'))
and is the correct path.I am not sure what the right solution to this problem is. Perhaps the
declared
value should be compared with a list of the application's registered endpoints either invalidate_redirect_url()
or just before it's called. Or perhapsdeclared
should be added later in the list so that the resolved endpoint will be evaluated first. URLs should return None when passed toget_url()
, so while this will change precedence, it shouldn't change the outcome. Paths which contain a slash should work the same. Is there a similar API which we can model the behavior on?As a workaround, I'm using the request's path in my decorator instead of passing the endpoint.
The text was updated successfully, but these errors were encountered: